current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 2 down vote favorite

I'm building a private CMS for my own use and am at the point where I will start building out the username and password storing features. I am considering the possibility of storing all admin username, password, and user details in a multidimensional array within a PHP file, rather than using SQL to store them in a database. My reason for wanting to use this non-traditional approach of storing user info is the belief that this will make it harder for attackers to gain unauthorized access to user info (usernames, passwords, IP addresses, etc.), because I will not be connecting to a MySQL database.

Rough Outline of Code:

add_user.php

// set the last referrer session variable to the current page 
$_SESSION['last_referrer'] = 'add_user.php';

// set raw credential variables and salt
$raw_user = $_POST['user'];
$raw_pass = $_POST['pass'];
$raw_IP = $_SERVER['REMOTE_ADDR'];
$salt = '&^${QqiO%Ur!W0,.#.*';

// set the username if its clean, else its false
$username = (is_clean($raw_user)) ? $raw_user : false; // is_clean() is a function I will build to check if strings are clean, and can be appended to an array without creating a parsing error.

// set the salted, sanitized, and encrypted password if its clean, else its false
$password = (is_clean($raw_pass)) ? $salt . encrypt($raw_pass) : false; // encrypt() is a function I will build to encrypt passwords in a specific way

// if username and password are both valid and not false
if( $username && $password ) {

    // set the users IP address
    $IP = sanitize($raw_IP);

    // create a temporary key
    $temp_key = $_SESSION['temp_key'] = random_key(); 

    // random_key() is a function I will build to create a key that I will store in a session only long enough to use for adding user info to the database.php file

    // add user details array to main array of all users
    $add_user = append_array_to_file('database.php', array($username, $password, $IP)); 

    // append_array_to_file() is a function I will build to add array's to the existing multidimensional array that holds all user credentials. 

    // The function will load the database.php file using cURL so that database.php can check if the temp_key session is set, the append_array_to_file() function will stop and return false if the database.php file reports back that the temp_key is not set.

    // The function will crawl database.php to read the current array of users into the function, will then add the current user's credentials to the array, then will rewrite the database.php file with the new array. 

    // destroy the temporary session key
    unset($_SESSION['temp_key']);
}
else {
    return false;
}

database.php

$users_credentials = array(1 => array('username' => 'jack', 
                                      'password' => '&^${QqiO%Ur!W0,.#.*HuiUn34D09Qi!d}Yt$s',
                                      'ip'=> '127.0.0.1'), 
                           2 => array('username' => 'chris', 
                                      'password' => '&^${QqiO%Ur!W0,.#.*8YiPosl@87&^4#',
                                      'ip'=> '873.02.34.7')
                          );

I would then create custom functions to mimic SQL queries like SELECT for use in verifying users trying to log in.

My Questions

1) Is this a bad idea, and if so, why?

2) Am I correct in thinking that this will reduce the number of possibilities for hackers trying to gain unauthorized access, sniff/steal password's, etc., since I'm not connecting to a remote database?

share|improve this question
 
If using tools such as firebug or something, it could be possible to view the entire array. I would not recommend using this –  Daryl Gill Dec 16 '12 at 1:32
 
@DarylGill if that were true, then wouldn't any and every PHP script be unsafe/vurnerable? –  deraad Dec 16 '12 at 1:35
 
1) Yes - it's a lot of work for very little gain, and in fact may result in more risk. 2) Only if you have thought of every vulnerability others have and more. If you're really worried about traffic sniffing, tunnel your mysql connection over ssh. –  sonofagun Dec 16 '12 at 1:37
 
@deraad It is easy enough to open an array to be viewed by development consoles; then you've got to take into account how will you search the multi-dimensional array and return the correct dimension of said array; It is a lot of work, and you are better off thinking up a different method –  Daryl Gill Dec 16 '12 at 1:38
 
Chris' IP look weird... –  Yanick Rochon Dec 16 '12 at 1:38
show 9 more comments

2 Answers

up vote 2 down vote accepted

I don't see any advantage: Whether you use a text file, a mysql database or a php file ( === text file), they are all "databases" in the sense that they are files where you store your information. The difference is that an sql database is made for that stuff;

I do see disadvantages as there are more potential holes you would have to think about. Some examples (apart from the stuff mentioned in the comments):

  • You need to take care that the password file is always out of the web-root in case php dies on you;
  • You need to avoid passing around your password file in for example source control.

These are not things that are hard to solve, but using a normal database you don't even have to worry about them.

Apart from that are misunderstanding the purpose of the salt: If you just prepend it to the encrypted password, there is really no point in using a salt, you need to send it to your encrypt function to hash it with your text-password so that rainbow tables would have to be generated for each password instead of just one for your whole database. And for that reason you should also not use a single salt for all your users, each should have a different, unique salt.

share|improve this answer
 
So would you say that my approach using no remote database connection has makes no difference in terms of increasing security, as opposed to remotely connecting to a mySQL server database? –  deraad Dec 16 '12 at 2:58
 
+1 ! and what about hash databases? –  djay Dec 16 '12 at 5:27
 
@deraad No, I think using proven solutions like mysql in combination with prepared statements, modern hashing algorithms and generally accepted best security practices (the salt for example) will do more for security than a custom db solution could ever do and like I said, a custom solution means you have to account for everything yourself (what if your hashed password contains a backslash or quotes, the above issues, etc.) and I don't see any advantage, even if you get it right. –  jeroen Dec 16 '12 at 15:18
add comment
up vote 1 down vote

If you plan to store any kind of config data in a text file of any sort, as opposed to a traditional database, consider using an .ini file. If I'm not mistaken, you can also take advantage of storing it outside of your web root, just like the php.ini file.

Here's a great post explaining exactly how to go about this: Using ini files for PHP application settings

PHP Manual: get_cfg_var()

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.